Am 17.06.24 um 22:16 schrieb Jeremy Sowden:
On 2024-06-17, at 15:57:05 +0200, Michael Biebl wrote:Source: iptables Version: 1.8.10-4 Severity: seriousThe cherry-pick of the commit 34f085b1607364f4eaded1140060dcaf965a2649 Revert "xshared: Print protocol numbers if --numeric was given" breaks firewalld, as seen in https://ci.debian.net/packages/f/firewalld/testing/amd64/47810213/ firewalld is very susceptible to changes of the output and command line interface of iptables. See an older issue https://github.com/firewalld/firewalld/issues/1112 Filing with RC severity, so the package doesn't migrate to testing (the debci results should prevent that, but this is just to make doubly sure) This change of iptables afaics has landed in a stable release (bookworm). Do we really want to revert it again and make all users of --numeric have to update again?Hi. Let me explain my understanding of the current situation. I appre- ciate that you probably know most of this already, but I just want to avoid any confusion. Upstream made a change that affected the output of protocols in listings in the presence of the `--numeric` flag. Previously, they were still output by name, after the change they were output by number. This was released upstream in 1.8.9 and made its way into Bookworm. This change broke stuff. As a result of a bug-report: https://bugzilla.netfilter.org/show_bug.cgi?id=1729 upstream reverted the change in commit 34f085b16073 ("Revert "xshared: Print protocol numbers if --numeric was given""). This is where things currently stand upstream: in the next release (1.8.11), the original behaviour will be restored. A report was also created in the BTS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067733 In response, I applied the upstream commit and uploaded it to unstable. I have a draft bookworm-pu bug-report that I had intended to send requesting that this change go into Bookworm to minimize the time before the old behaviour is restored. Obviously, I will hold off while we discuss this. :) What do you propose? The firewalld test-suite was updated to work with the new output; however, other tools were not, and upstream reverted the change because there were no compelling reasons for it and it had caused breakage in those tools. As things stand, the old behaviour will be re- stored. Would you rather wait for the next upstream release? Are you suggesting that we ask upstream to revert 34f085b16073? Or do you have something else in mind?
Maybe inform iptables upstream about this.Personally I think it's to late to revert this again. After, it's now two years since this change was committed and you might just as well break tools now which rely on the new/fixed behaviour.
Regards, Michael
OpenPGP_signature.asc
Description: OpenPGP digital signature
